Splunk Search

How to list my splunk admin users list and last login details.

RASHO123
New Member

I have about 250 Admin users and I would like to know when was the last time each of them logged in. Is there a query that I can use?


yannK
Splunk Employee

This search will look at all the login attempts, but does not contain role information.
To get the role/user mapping you need a rest call search.

Remarks:
- remember that there may be more than one role per user
- understand that if a role inherits from the admin role, you will not see it in the list.

index=_audit "action=login attempt" | stats first(_time) AS last_login first(info) AS last_detail by host user | convert ctime(last_login)

So you can add a join afterwards to get the list of roles for each user.

index=_audit "action=login attempt" | stats first(_time) AS last_login first(info) AS last_detail by host user | convert ctime(last_login)
| join user [ | rest /services/authentication/users | fields title roles | rename title AS user ]

If you want to filter ahead of time for members of the admin role only, you can try this prefilter condition. The subsearch must return only the user field (hence the trailing `fields user`), otherwise the role field is also turned into a search term and nothing in _audit matches.

index=_audit "action=login attempt"
    [ | rest /services/authentication/users | fields title roles | rename title AS user | mvexpand roles | rename roles AS role | where role="admin" | fields user ]
| stats first(_time) AS last_login first(info) AS last_detail by host user
| convert ctime(last_login)
| join user [ | rest /services/authentication/users | fields title roles | rename title AS user ]
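Added example, not part of the thread and not Splunk's own code: the answer above warns that a user whose role merely inherits from admin will not show up when you filter on role="admin". The script below resolves that inheritance first and then reports each effective admin's most recent login attempt, including admins with no login at all (the accounts most worth reviewing). The ROLES and USERS dictionaries are constructed stand-ins for what `| rest /services/authorization/roles` (title and imported_roles) and `| rest /services/authentication/users` (title and roles) return; the _audit lines are constructed and only approximate the real "action=login attempt" record layout. It also picks the latest attempt by timestamp rather than relying on event order, which is what `first(_time)` in the SPL depends on.

```python
"""Resolve Splunk role inheritance, then report last login per effective admin.
All data here is constructed for illustration; field names imported_roles/roles
mirror the REST endpoints named in the thread."""
import re
from datetime import datetime, timedelta

# Constructed stand-in for `| rest /services/authorization/roles | fields title imported_roles`.
ROLES = {
    "admin": [],
    "power": [],
    "user": [],
    "sc_admin": ["admin"],               # inherits admin directly
    "soc_lead": ["sc_admin", "power"],   # inherits admin transitively
    "analyst": ["user"],
}

# Constructed stand-in for `| rest /services/authentication/users | fields title roles`.
USERS = {
    "alice": ["admin"],
    "bob": ["soc_lead"],
    "carol": ["analyst"],
    "dave": ["sc_admin", "user"],
}

# Constructed _audit events in the general shape of login-attempt records
# (timestamp is MM-DD-YYYY); deliberately not in time order.
AUDIT_LINES = [
    "Audit:[timestamp=03-10-2025 08:15:02.123, user=alice, action=login attempt, info=succeeded reason=user-initiated]",
    "Audit:[timestamp=03-11-2025 17:40:10.456, user=bob, action=login attempt, info=failed reason=invalid-credentials]",
    "Audit:[timestamp=03-12-2025 09:02:33.789, user=alice, action=login attempt, info=succeeded reason=user-initiated]",
    "Audit:[timestamp=03-12-2025 09:05:00.000, user=carol, action=login attempt, info=succeeded reason=user-initiated]",
    "Audit:[timestamp=03-09-2025 23:59:59.000, user=bob, action=login attempt, info=succeeded reason=user-initiated]",
    "Audit:[timestamp=03-12-2025 10:00:00.000, user=alice, action=search, info=granted]",  # not a login
]

LOGIN_RE = re.compile(r"timestamp=([^,]+), user=([^,]+), action=login attempt, info=(\S+)")


def effective_roles(role, roles, seen=None):
    """Transitive closure over imported_roles; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if role in seen:
        return seen
    seen.add(role)
    for parent in roles.get(role, []):
        effective_roles(parent, roles, seen)
    return seen


def admin_users(users, roles, target="admin"):
    """Users who hold `target` directly or through any inherited role."""
    result = []
    for user, assigned in users.items():
        held = set()
        for r in assigned:
            held |= effective_roles(r, roles)
        if target in held:
            result.append(user)
    return sorted(result)


def parse_login(line):
    """Return {'ts','user','info'} for a login-attempt line, else None."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f")
    return {"ts": ts, "user": m.group(2), "info": m.group(3)}


def last_login_attempts(lines):
    """Most recent attempt per user by timestamp, independent of line order."""
    latest = {}
    for line in lines:
        ev = parse_login(line)
        if ev and (ev["user"] not in latest or ev["ts"] > latest[ev["user"]]["ts"]):
            latest[ev["user"]] = ev
    return latest


def admin_login_report(lines, users, roles):
    """user -> (last attempt time or None, its info or None) for every effective admin.
    Admins with no login at all are kept rather than dropped by the join."""
    latest = last_login_attempts(lines)
    report = {}
    for u in admin_users(users, roles):
        ev = latest.get(u)
        report[u] = (ev["ts"], ev["info"]) if ev else (None, None)
    return report


def stale_admins(report, now, max_days):
    """Admins with no login attempt within max_days of `now` (or ever)."""
    cutoff = now - timedelta(days=max_days)
    return sorted(u for u, (ts, _) in report.items() if ts is None or ts < cutoff)


if __name__ == "__main__":
    rep = admin_login_report(AUDIT_LINES, USERS, ROLES)
    for u, (ts, info) in rep.items():
        print(f"{u:8} last_login={ts} last_detail={info}")
    print("stale:", stale_admins(rep, datetime(2025, 3, 20), max_days=10))
```

In the sample, bob never holds admin directly but reaches it via soc_lead and sc_admin, so a `where role="admin"` filter on the users endpoint would miss him; dave holds an inheriting role and has never logged in, so a join against _audit would drop him entirely. Both are exactly the accounts a 250-admin review should surface.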